Global Privacy Dispatches - France

“You book a plane ticket to New York on the Internet. Two days later, while reading your newspaper online, you’re offered an attractive deal on a rental car in New York. This is not a mere coincidence: this is targeted advertising, as it is developing more and more on the Internet.”

So begins the CNIL report about online targeted advertising, which was presented to the commissioners in plenary session earlier this year and recently released publicly.

It’s a fact: most content providers and search engines give Internet users access to a lot of information and entertainment free of charge. But there is a price to pay at one time or another: data to feed the advertising business, advertising being the main source of income of the Internet.

IP addresses, Internet search keywords, browsing histories, registration data, social networking tidbits, viewed ads, and even e-mail content, you name it... Any information about Internet visits and visitors is potentially analyzed to determine what advertising will correspond best to them or to their profile.

The 30-page CNIL report aims to review the privacy risks associated with online targeted advertising and provide potential answers. It also serves to open a debate among authorities that could lead to improved business practices.

The report details the various types of online advertising—personalized (common type), contextual, or behavioural—and the distribution channels for advertisements, such as Web sites (content providers) or advertising agencies that deal with several Web sites and, therefore, have more opportunities to obtain a large amount of Internet users’ data.

The report educates readers on various user-tracking and profile-creation techniques, which rely on data provided by the Internet user himself or on demographic assumptions made about a user based on pages visited. It also describes the models of Amazon, Google, Facebook, LinkedIn, Tacoda/AOL, and Phorm.

Technological and economic changes in e-companies’ business models are a source of concern. More and more companies, by diversification or acquisition (e.g. Yahoo and Google), are simultaneously content providers, service providers (Internet access, e-mail, search engine…) and advertising agencies, thus having the opportunity to aggregate data about users collected via different means.

Therefore, the concentration of actors and data sources is seen as a potential risk to privacy, in particular because individuals do not realize the impact this may have on the processing of personal data. Exacerbating these risks is the CNIL’s finding that opt-out mechanisms (e.g. opt-out cookies) do not work properly in practice.

If advertising agencies were to share data they collect with businesses such as banks, insurance companies, or recruiters, selections and assessments of consumers and candidates could be made based on assumptions about their health, finances, or other sensitive information, without individuals being fully aware of it. The authority views this as a real threat.

The report underlines the challenges online targeted advertising presents to data protection authorities.

The first key legal issue is to determine whether the processed data is “personal,” thereby triggering the application of data protection rules. To a large extent, the report refers to the G29 opinion on the notion of personal data. That group’s decision concluded that, if profile data such as age, gender, or location is linked to an identifier (IP address or identifier placed in a tracking cookie) that can be linked to an identified or identifiable individual, the data is “personal.” The CNIL rules out all attempts to claim that the data used for online advertising is anonymous.

Referring to the G29 opinion on search engines, the CNIL believes that European data protection laws should apply even if businesses are headquartered outside of the EU.

Once these interpretations are made, the main question to address is how individuals can be properly informed of the processing activities carried out to target them so they can exercise their opt-out or opt-in rights.

The CNIL stresses the need for debate on applicable law, data retention, and notices of profiling. It suggests the drafting of template notices and codes of good practice. In addition, the CNIL calls for better public awareness of tools that let users control or disable tracking devices, and for the promotion of privacy-compliant tools and services via labelling.

This is clearly a first-stage report to show the authority’s intention to tackle the matter and to bring this sector of the economy in line with European data protection principles.

French ISP sanctioned under Data Protection Act

The CNIL sanctioned Neuf-CI, one of the main Internet access providers in France, for lack of transparency in dealing with a customer access request. The company was reluctant to address the request, which was first rejected for “confidentiality and security reasons.” Later, the company agreed to provide the customer with her subscription data (name, contact details, bank details), but failed to provide her with data recorded in the customer databases (invoices, call numbers, dealings with the customer service department), even after an injunction from the CNIL.

The company claimed that the lacking response was due to the merger between Neuf-Cegetel and Club Internet, which created some disorganization. Still, the CNIL considered that a full response should have followed the customer’s request. It also noted that the company’s policies on personal data, which had been drafted a year earlier, were still at a draft stage. Sanction: 7000 Euros.

Pascale Gelly and Elisabeth Quillatre of the French law firm Cabinet Gelly can be reached at pg@pascalegelly.com.
